<html>
<head><meta charset="utf-8"><title>Warning when using yanked crate? · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Warning.20when.20using.20yanked.20crate.3F.html">Warning when using yanked crate?</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="182884032"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Warning%20when%20using%20yanked%20crate%3F/near/182884032" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Warning.20when.20using.20yanked.20crate.3F.html#182884032">(Dec 08 2019 at 08:50)</a>:</h4>
<p>I read a proposal somewhere that cargo could warn when a build involves a yanked crate. That sounds quite useful, doesn't it? <a href="https://github.com/rust-lang/cargo/issues/7169#issuecomment-539233845" target="_blank" title="https://github.com/rust-lang/cargo/issues/7169#issuecomment-539233845">This comment</a> says</p>
<blockquote>
<p>I think I have mitigated some of the concern by issuing warnings on yanked dependencies.</p>
</blockquote>
<p>but I am not sure if that applies only to <code>install</code> or also to <code>build</code>. Does anyone know more here?</p>



<a name="182884050"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Warning%20when%20using%20yanked%20crate%3F/near/182884050" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Warning.20when.20using.20yanked.20crate.3F.html#182884050">(Dec 08 2019 at 08:51)</a>:</h4>
<p>Looks like it is for <code>install</code> only: <a href="https://github.com/rust-lang/cargo/commit/5f616eb18e979650beb50bfb955dc4213137a234" target="_blank" title="https://github.com/rust-lang/cargo/commit/5f616eb18e979650beb50bfb955dc4213137a234">https://github.com/rust-lang/cargo/commit/5f616eb18e979650beb50bfb955dc4213137a234</a></p>



<a name="183329289"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Warning%20when%20using%20yanked%20crate%3F/near/183329289" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Warning.20when.20using.20yanked.20crate.3F.html#183329289">(Dec 13 2019 at 05:09)</a>:</h4>
<p>Linting for yanked crates seems like something RustSec could do, especially if it looked at the local copy of the <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> index...</p>



<a name="183329331"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Warning%20when%20using%20yanked%20crate%3F/near/183329331" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Warning.20when.20using.20yanked.20crate.3F.html#183329331">(Dec 13 2019 at 05:10)</a>:</h4>
<p>really good idea!</p>



<a name="183329612"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/Warning%20when%20using%20yanked%20crate%3F/near/183329612" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/Warning.20when.20using.20yanked.20crate.3F.html#183329612">(Dec 13 2019 at 05:17)</a>:</h4>
<p><a href="https://github.com/RustSec/cargo-audit/issues/170" target="_blank" title="https://github.com/RustSec/cargo-audit/issues/170">https://github.com/RustSec/cargo-audit/issues/170</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>